Php – How to secure a directory in Apache using a PHP session

apache-2.2authenticationPHP

I have a site that uses PHP session for authentication. There is one directory that I would like to restrict access to that does not use any PHP, it's just full of static content.

I just don't know how to restrict access without every request going through a PHP script. Is there some way to have Apache check the session credentials and restrict access like Basic Auth?

Best Answer

Unless you've changed the settings, PHP session data is stored in a variation on its own serialize() format in a temporary directory, and it's not easy to get at that without using PHP itself.

unfortuantly, you appear to want the speed of static served files while dynamically authorising each request, which are not really compatible goals. You might comprimise by having a super-light PHP script which you then use mod_rewrite to rewrite requests to files within it to, which passes though things that are fine. Super simple example:

.htaccess:

 RewriteEngine On
 RewriteMap auth prg:auth.php
 RewriteRule (.*) ${auth:$1}

auth.php:

#!/usr/bin/php
 <?PHP
 set_time_limit(0); # This program needs to run forever. 
 $stdin = fopen("php://stdin","r"); # Keeps reading from standard in
 while (true) {
        $line = trim(fgets($stdin));
        if (isset($_SESSION['USER_LOGGED_IN'])) {
                echo $line\n";
        } else {
                echo "authfailed.html\n";
        }
 }

notably, that PHP script is running forever, so you'll need to restart apache if you change it, I think.

This is all untested, but that's roughly the direction I think you'd have to go in.

References:

Related Solutions

Pass username from apache Basic Authentication to cherrypy

I have added a header to pass the authenticated user based on apache.

RewriteEngine On
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [E=R_U:%1]
RequestHeader set X-Remote-User %{R_U}e

Php – With PHP installed, Apache is (comparatively) slow at serving static content

It depends on how do you configure apache with php, how you optimize your configuration. If php is configured with CGI interface, then apache will pass only certain type of files to the php externally (same way as done with nginx for example), so there is 0 impact on other files, in case of module it might be faster with dynamic pages, because it's not calling php externally, but might be slower for others because php module is loaded with apache all the time, despite it's still active only for certain type of files (according to mimetype).

Yes/No
Use mod_fcgid with php

Example of php configured as module, which parses only .php files (RHEL5/6, Fedora):

[root@main ~]# cat /etc/httpd/conf.d/php.conf
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
  LoadModule php5_module modules/libphp5-zts.so
</IfModule>


#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
AddType application/x-httpd-php-source .phps

Best Answer

Related Solutions

Pass username from apache Basic Authentication to cherrypy

Php – With PHP installed, Apache is (comparatively) slow at serving static content

Related Topic